What is the New FTC Safeguards Rule for Customer Information?

What does the Federal Trade Commission’s Standards for Safeguarding Customer Information (or the “Safeguards Rule” for short) actually do?

Put simply: Just what it sounds like it does.

The Safeguards Rule is a regulatory measure that mandates that businesses under the FTC’s jurisdiction meet legal standards for handling sensitive customer data, including developing, implementing, and maintaining an information security program equipped with administrative, technical, and physical safeguards.

The objective of this rule is threefold:

  • To ensure the security and confidentiality of customer information
  • To protect against anticipated threats or hazards to the security or integrity of such information
  • To guard against unauthorized access to information that could result in substantial harm or inconvenience to any customer

Recent updates to the Safeguards Rule now require more rigorous protections appropriate to emerging cyber threats. Key changes include encryption of customer information at rest and in transit, tighter access controls, multi-factor authentication for anyone accessing systems that hold customer information, periodic assessment of the security practices of service providers, and a requirement to update the security program whenever operations, business arrangements, or risk assessment results change materially.

Initially implemented in 2003 under the Gramm-Leach-Bliley Act, the rule was extensively revised in 2021 to strengthen the data security safeguards that financial institutions must put in place.

In October 2023, the FTC amended the rule to add a data breach notification requirement. This amendment, which goes into effect on May 13, 2024, means non-banking financial institutions must notify the FTC as soon as possible, and no later than 30 days after discovery, of any unauthorized acquisition of unencrypted customer information involving at least 500 consumers.

Tax preparers should also note that when they apply for or renew a Preparer Tax Identification Number (PTIN), the IRS asks whether the firm has a Written Information Security Plan (WISP) in place.

So, what exactly is a “non-banking financial institution,” anyway?

Does your business count…and if so, how can you ensure compliance?

Let’s explore this in more depth.

To Whom Does the FTC Safeguards Rule Apply?

The Safeguards Rule applies broadly to businesses categorized as “financial institutions” that handle sensitive customer information. However, this designation encompasses far more than banks, credit unions, or investment firms.

Under 16 CFR § 314.2(h), a “financial institution” is any institution significantly engaged in activities that are financial in nature, or incidental to such financial activities, as defined under the Bank Holding Company Act. Along with lenders and traditional finance groups, this pulls in professional services organizations such as accounting firms, tax preparation services, credit counseling agencies, and consultants or contractors that perform these financial activities on a client’s behalf.

More specifically, financial institutions subject to FTC Safeguards Rule compliance include businesses such as:

  • Mortgage brokers, lenders, and servicers
  • Loan brokers and originators
  • Financial/investment advisors and planners
  • Tax preparation firms
  • Credit counseling or repair agencies
  • Check cashing companies
  • Services operated in connection with financial services, such as career counselors serving finance-industry employees, travel agencies run alongside financial services, or technology consultants handling customer financial data
  • Third-party accounts receivable management companies
  • Retailers, dealerships, or service providers extending direct credit lines to customers
  • Businesses regularly transmitting consumer funds or facilitating payments

Essentially, any company that is significantly engaged in financial activities, handles nonpublic financial data like bank account details, credit card numbers, income figures, credit scores, or other personal finance records, and is not already supervised by another federal financial regulator (a bank regulator or the SEC, for example) must comply.

Businesses maintaining customer information on fewer than 5,000 consumers are exempt from a few of the rule’s requirements (notably the written risk assessment, the written incident response plan, and the annual report to the board). They must still meet the rest of the rule, and maintaining prudent security is vital regardless given the increasing cybercriminal interest in small businesses as soft targets.

How Can Businesses Comply with the FTC Safeguards Rule?

Compliance with the Safeguards Rule requires a written information security program appropriate to the size and complexity of the business, the nature and scope of its activities, and the sensitivity of the customer information at hand.

The objectives of your company’s program must be:

  • To ensure the security and confidentiality of customer information,
  • To protect against anticipated threats or hazards to the security or integrity of that information and
  • To protect against unauthorized access to that information that could result in substantial harm or inconvenience to any customer.

The rule defines “customer information” to mean “any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.”

This covers information about your own customers and information about customers of other financial institutions that have provided that data to you.

What Are the Components of an Effective Information Security Program?

An effective modern information security program contains layered administrative, physical, and technical controls, including:

  • Encryption safeguarding data at rest and in transit
  • Firewalls, anti-malware, and intrusion prevention software
  • Access management via role-based permissions and multi-factor authentication
  • Vulnerability assessment, penetration testing, audit logging, and change monitoring
  • Secure backup and recovery capabilities
  • Employee training on handling data and recognizing threats
  • Incident response planning and policy enforcement

Furthermore, the FTC Safeguards Rule outlines some core elements businesses must integrate into their customized program:

  1. Appoint a Qualified Individual to Direct the Program: Designate a senior team member or external expert to oversee, implement, and enforce the program. If you use an outside provider for this role, you retain responsibility for compliance, must designate an internal senior employee to direct and oversee the provider, and must ensure the provider maintains a program that protects your customer information.
  2. Perform Initial and Recurring Risk Assessments: Inventory data flows and infrastructure. Analyze internal and external threats, evaluate existing controls, and outline requirements to address gaps.
  3. Implement Technical and Physical Safeguards: Encrypt customer information at rest and in transit, require multi-factor authentication for anyone accessing systems that hold customer information, restrict access to authorized users only by applying least privilege and separation of duties, and securely dispose of customer information when it is no longer needed.
  4. Ensure Third Parties Maintain Adequate Security: Vet vendors to ensure appropriate protections are in place and required by contracts. Rapidly address any vendor-related vulnerabilities.
  5. Test Controls via Audits, Scans, and Monitoring: Continually verify program effectiveness through either continuous monitoring or, at a minimum, annual penetration testing and vulnerability assessments every six months, supported by audits, metrics tracking, and inspection of audit logs.
  6. Train Staff on Evolving Threats: Equip personnel to uphold protocols via security awareness training. Verify key roles stay current on emerging attack vectors.
  7. Continuously Refine Defenses: Evolve safeguards to address operational changes, new attack trends, risk assessment findings, and monitoring results.
  8. Prepare and Test an Incident Response Plan: Define a response strategy with procedures to contain, communicate, investigate rapidly, and remediate threats.
  9. Report Status to Leadership Annually: Apprise leadership and the board on program effectiveness, metrics, risks, vendor oversight, and recommendations.

Larger entities and those facing elevated risks or advanced cyber hazards may require additional controls beyond the baseline, such as:

  • Around-the-clock automated attack detection and alerting
  • Verifying a user’s identity before every access to customer data, not just at login
  • Tightly scoping and time-limiting contractor credentials
  • Sandboxing untested or unvetted applications before they touch customer data

Why Does the FTC Safeguards Rule Matter for Businesses?

Maintaining robust safeguards to comply with the FTC Safeguards Rule protects customer trust, reputation, and the bottom line. Data breaches carry severe financial damages (a global average of $4.45 million per breach in 2023, according to IBM’s Cost of a Data Breach report), not to mention intangible brand and relationship costs.

As cybercriminals grow more sophisticated, purely reactive security is inadequate. By implementing systematic safeguards in line with the Safeguards Rule, you reduce risk and are better positioned to keep operating if an incident occurs.

Need help making sense of all this and understanding the impact on your business?

The potential exposures from something as preventable as non-compliance with the Safeguards Rule make working with seasoned advisors an easy call, and our team stands ready to assist.

Would you like some help?

If you are a client and would like to book a consultation, call us at +1 (212) 382-3939 or contact us here to set up a time.

If you aren’t a client, why not? We can take care of your accounting, bookkeeping, tax, and CFO needs so that you don’t have to worry about any of them. Interested? Contact us here to set up a no-obligation consultation.
